Array access on struct with array as the single member confuses the analyser
Version and Platform (required):
- Binary Ninja Version: 4.2.5821-dev
- OS: macOS
- OS Version: 15.1 Beta (24B5009l)
- CPU Architecture: Apple Silicon (M3)
Bug Description:
Array access using complex math confuses the analyser. Not sure if I've defined something wrong; I'm fairly confident that my type is correct. It seems to be a 0x18-sized structure array inside of a larger structure. The math it does ends up with allocType * 0x18 anyway.
Steps To Reproduce: Not sure, maybe the disassembly gives you a clue.
Expected Behavior:
return (&pAllocations->entries[0]:0x10.q)[zx.q(allocType) * 3]
should be
return pAllocations->entries[allocType].ptr;
Screenshots/Video Recording:
[Screenshots attached in the original report: Disassembly, LLIL, MLIL, HLIL]
Are you able to share the .bndb? Or the type definition?
@negasora I can share the type definitions. Here they are:
enum AMD_TTL_ALLOCATION_TYPE : uint32_t
{
    ALLOCATION_TYPE_EXT_SVCS = 0x1,
    ALLOCATION_TYPE_IPI = 0x4,
    ALLOCATION_TYPE_TLS = 0x5,
    ALLOCATION_TYPE_CGS_DEVICE = 0x6,
    ALLOCATION_TYPE_MAX = 0x16
};

struct AMD_TTL_ALLOCATION_ENTRY
{
    enum AMD_TTL_ALLOCATION_TYPE allocType; // offset 0x0 (4 bytes + 4 bytes padding)
    uint64_t length;                        // offset 0x8
    void* ptr;                              // offset 0x10; sizeof(entry) == 0x18
};

struct AMD_TTL_ALLOCATIONS
{
    struct AMD_TTL_ALLOCATION_ENTRY entries[0x16]; // array at offset 0 of the outer struct
};
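To make the reporter's point concrete, here is an added C example (not part of the issue or of Binary Ninja itself) that spells out why the HLIL expression `(&pAllocations->entries[0]:0x10.q)[zx.q(allocType) * 3]` reads the same memory as `pAllocations->entries[allocType].ptr`: the entry is 0x18 bytes, `ptr` sits at offset 0x10, and 0x18 / 8 = 3 eight-byte words per entry. The type definitions are the ones posted above, with the `: uint32_t` underlying-type syntax dropped because standard C lacks it (a plain `enum` is 4 bytes on the usual ABIs); `lookup_expected`, `lookup_as_decompiled`, `lookups_agree` and the populated table are constructed for this illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type definitions from the issue (enum underlying type omitted: standard C). */
enum AMD_TTL_ALLOCATION_TYPE {
    ALLOCATION_TYPE_EXT_SVCS = 0x1,
    ALLOCATION_TYPE_IPI = 0x4,
    ALLOCATION_TYPE_TLS = 0x5,
    ALLOCATION_TYPE_CGS_DEVICE = 0x6,
    ALLOCATION_TYPE_MAX = 0x16
};

struct AMD_TTL_ALLOCATION_ENTRY {
    enum AMD_TTL_ALLOCATION_TYPE allocType; /* offset 0x0, 4 bytes + 4 padding */
    uint64_t length;                        /* offset 0x8 */
    void *ptr;                              /* offset 0x10 */
};

struct AMD_TTL_ALLOCATIONS {
    struct AMD_TTL_ALLOCATION_ENTRY entries[0x16]; /* array at offset 0 */
};

/* Layout facts the decompiled arithmetic depends on. */
_Static_assert(sizeof(struct AMD_TTL_ALLOCATION_ENTRY) == 0x18, "entry must be 0x18 bytes");
_Static_assert(offsetof(struct AMD_TTL_ALLOCATION_ENTRY, ptr) == 0x10, "ptr must be at 0x10");

/* The clean form the reporter expects the decompiler to show. */
void *lookup_expected(const struct AMD_TTL_ALLOCATIONS *pAllocations,
                      enum AMD_TTL_ALLOCATION_TYPE allocType)
{
    return pAllocations->entries[allocType].ptr;
}

/* The form the HLIL actually shows, written out in C: take the address of
 * entries[0].ptr (outer offset 0x10), treat it as an array of 8-byte words and
 * index it by allocType * 3, because 0x18 bytes per entry is 3 words. */
void *lookup_as_decompiled(const struct AMD_TTL_ALLOCATIONS *pAllocations,
                           uint32_t allocType)
{
    const uint64_t *words = (const uint64_t *)&pAllocations->entries[0].ptr;
    uint64_t raw;
    /* memcpy instead of a direct read to stay clear of strict-aliasing issues */
    memcpy(&raw, &words[(uint64_t)allocType * 3], sizeof raw);
    return (void *)(uintptr_t)raw;
}

/* Fill a constructed table and check both spellings agree for every index. */
int lookups_agree(void)
{
    static struct AMD_TTL_ALLOCATIONS table;      /* constructed sample data */
    static unsigned char storage[ALLOCATION_TYPE_MAX];
    for (uint32_t i = 0; i < ALLOCATION_TYPE_MAX; i++) {
        table.entries[i].allocType = (enum AMD_TTL_ALLOCATION_TYPE)i;
        table.entries[i].length = (uint64_t)i * 16u;
        table.entries[i].ptr = &storage[i];       /* distinct pointer per entry */
    }
    for (uint32_t i = 0; i < ALLOCATION_TYPE_MAX; i++) {
        if (lookup_expected(&table, (enum AMD_TTL_ALLOCATION_TYPE)i) !=
            lookup_as_decompiled(&table, i))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("sizeof(entry)=0x%zx offsetof(ptr)=0x%zx lookups_agree=%d\n",
           sizeof(struct AMD_TTL_ALLOCATION_ENTRY),
           offsetof(struct AMD_TTL_ALLOCATION_ENTRY, ptr), lookups_agree());
    return 0;
}
```

The static assertions are the useful part when checking a type definition like this against disassembly: if the entry size or the `ptr` offset did not match the multiplier and displacement in the machine code, the assertions would fail to compile, which is the same mismatch that would make a decompiler fall back to raw word indexing.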
Seems like it gets fixed if I do this
It looks like the problem is that if it's a pointer to a structure with an array at offset 0 it will get confused (?)
@VisualEhrmanntraut what did you do in the above image?
Used a pointer to the type used in the array inside of the structure. Compare the HLIL image to the image you are referring to and look at the type definitions to understand further.
Like this: issue_5820_workaround.bndb.zip
Ah yeah, I see it now, thanks.
Fixed in build 4.2.6351